Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
489
Views
0
Helpful
4
Replies

GRE over IPsec in Tunnel Mode same as IPsec over GRE?

Talmoro
Level 1
Level 1

‎04-13-2025 02:39 AM

Hello,

I'm currently studying for the ENCOR exam and came across the topic GRE over IPsec in Tunnel Mode / IPsec over GRE.
The OCG describes GRE over IPsec in tunnel mode as follows:

"In [GRE over IPsec] tunnel mode, the original packet is encapsulated in GRE, the entire GRE packet is encrypted by IPsec, and a new IPsec IP header is added. For this reason, GRE over IPsec in tunnel mode is commonly referred to as IPsec over GRE."

I always thought it was the other way around - on IPsec over GRE the outer header is GRE and not IPsec. So i tried to look around on the internet but I have found several contradictory sources in this regard.
Could someone help me elaborate which way its now correct?

Thank you!

Labels:
0 Helpful
4 Replies 4

M02@rt37
VIP
VIP

‎04-13-2025 02:55 AM

Hello @Talmoro 

IPsec over GRE: The IP packet is encrypted first with IPsec, and the resulting packet is then encapsulated in GRE. So GRE is the outermost protocol.

GRE over IPsec: The IP packet is first encapsulated in GRE, and then the GRE packet is encrypted and encapsulated by IPsec. IPsec is the outermost protocol.

https://harrymaq.medium.com/difference-between-ipsec-over-gre-gre-over-ipsec-b655b7baf9f1

 

 

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.
0 Helpful

Talmoro
Level 1
Level 1
In response to M02@rt37

‎04-13-2025 03:32 AM

The OCG states its the other way around. Also does this post:
https://ipwithease.com/gre-over-ipsec-vs-ipsec-over-gre/

Thats what confuses me.

0 Helpful

M02@rt37
VIP
VIP
In response to Talmoro

‎04-13-2025 04:10 AM - edited ‎04-13-2025 04:10 AM

@Talmoro 

IPsec over GRE is more rare and less practical  so it means that ipsec is established first, and GRE traffic is sent over that encrypted upsec tunnel.

The OCG and your linked article confirm tha GRE over ipsec is the more typical and functional design...

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.
0 Helpful

Joseph W. Doherty
Hall of Fame
Hall of Fame
In response to M02@rt37

‎04-13-2025 03:33 AM

M02@rt37 's reference mentions fragmented packets, just once, and using transport mode just twice, recommending the latter.  Although transport mode is a valid suggestion, understandimg how to avoid fragmentation on any tunnel is very much worth knowing.  I recommend https://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-gre/25885-pmtud-ipfrag.html.

0 Helpful
Customers Also Viewed These Support Documents